SecureHash is not secure #15278
Labels
c: Security
For issues that make Matomo more secure. Please report issues through HackerOne and not in Github.
Help wanted
Beginner friendly issues or issues where we'd highly appreciate community's help and involvement.
Milestone
As reported by @Findus23
Not really a vulnerability in itself, but also not secure and might cause issues if someone uses the function without checking in the future. Therefore, I want to document it here.
The function generateSecureHash here is really not secure:
matomo/plugins/Login/PasswordResetter.php
Line 305 in e922479
It hashes the string with $this->hashData which again calls Common::hash which uses the whirlpool hash which is fast and not intended for cryptographic use cases.
The splitting of data is just distraction as with 50000000 Hashes per second on a simple GTX 1060 Ti there is no need to store rainbowtables.
I guess there is no reason to not use the secure slow hashes used for passwords also for password reset tokens.
The text was updated successfully, but these errors were encountered: